
CISPA 2.0: House Intelligence Committee Fumbles Privacy Again

Cybersecurity bill's backers portray threat intelligence sharing as a panacea, but yet again ignore the potential privacy and security downsides.

"Hi, we're from the House of Representatives, and we're here to help you with your nagging cybersecurity issues. To receive the government's top-flight threat intelligence, just record all network-level traffic and send a copy to the NSA."

So goes the pitch for the Cyber Intelligence Sharing and Protection Act (CISPA), sponsored by House Permanent Select Committee on Intelligence chairman Mike Rogers (R-Mich.). The bill was first introduced in late 2011, only to die after facing strong opposition from the White House and civil rights groups; it was never taken up in the Senate.

One criticism of CISPA was that it indemnified businesses that shared data with government agencies. The worry was simple: By collecting and sharing so much network-level data, businesses could put sensitive and private information about their employees and customers in the hands of an intelligence agency, which would then have carte blanche to use the information as it saw fit, provided it was for "national security" purposes.

Cue CISPA 2.0, introduced in February 2013. "What we came up with, we think, is the right approach. It is the one bill out of everything you've seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information]," Rogers told reporters Wednesday, reported The Hill.

Given the previous bill's untimely demise, surely Rogers' comments reflect how the committee learned from its mistakes and included tough new privacy protections in the latest version of CISPA?

Guess again. The House Intelligence Committee, before voting 18-2 last week to send the bill to the House floor -- where it could be voted on this week -- did amend CISPA in a closed-door meeting, but only to add window-dressing privacy protections. For example, instead of allowing government agencies to use collected data for any national security purpose, the bill's revised language now limits that to "cybersecurity purpose."

Minor tweaks to a bill that sparked major privacy concerns don't bespeak a rethink, and the second CISPA is facing a barrage of criticism that -- surprise, surprise -- differs little from before. "We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities," read a statement released last week by the White House National Security Council (NSC).

"We continue to believe that information-sharing improvements are essential to effective legislation," continues the NSC's statement, which many are reading as a veto threat by President Obama. "But they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections."

Civil rights groups have leveled similar charges. "CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans," said Michelle Richardson, legislative counsel at the American Civil Liberties Union, in an emailed statement. "The bill continues to do so even though the NSA maintains it does not want nor need that power and cybersecurity experts tell lawmakers that sharing personal information will not protect critical infrastructure from intrusion and attack."

To be fair, House Intelligence Committee members Rep. Jan Schakowsky (D-Ill.) and Rep. Adam Schiff (D-Calif.), who both voted against sending CISPA to the floor of the House, first proposed stronger privacy amendments; none were successful. Electronic Frontier Foundation (EFF), a civil liberties group, lauded Schiff's proposal in particular because it would have required "that companies take 'reasonable efforts' to remove unnecessary personal information of users before passing data to the government," according to a blog post by EFF policy analyst Mark M. Jaycox and activism director Rainey Reitman. "While this wouldn't fix everything that's wrong with CISPA, it would do one vital thing: help minimize how much personal information of users actually flowed to the government without a warrant," they said.

Congress arguably wants to "do something" to help the government share threat intelligence information with private businesses. But legislators need to stop fetishizing government-provided threat intelligence and portraying it as the panacea for all information security ills, while overstating the importance of having businesses share network scans with the government.


Comments

achornback@gmail.com

User Rank: Apprentice

Wed, 04/17/2013 - 22:19

re: CISPA 2.0: House Intelligence Committee Fumbles Privacy A...

How much delay would be involved in reporting information to the Federal database if they were forced to implement the Schiff amendment? Something tells me that an obfuscation box (for lack of a better term) would add complexity and may end up causing things to get lost in the noise.

As to ideas here, since I'm of the opinion that if you're going to shoot down an idea you really need to throw another one out there - why not move up to the SIEM level instead of sticking to the network level? Use a system that gathers both all of the SIEM event information and all of the network traffic on a network segment, and pass along the SIEM part. If the upstream analysis engine determines that there's something going on from looking at the SIEM events, then pull the network traffic and move to a further in-depth analysis.

That way, instead of throwing all of the network layer information at the NSA (or whoever is ultimately going to be running this system), you're using a subset - which means faster transit times, faster initial analysis and still keeping the underlying basis for that subset for further analysis should a pattern be recognized in the initial screening.

At that point, I think the argument would shift to retention times and security of the network layer traffic capture, but those are more procedural issues to deal with, rather than the need for designing an obfuscation process which may cause things to get missed in the analysis.
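As an added illustration of the tiered approach this comment proposes, combined with the "reasonable efforts to remove unnecessary personal information" minimization the Schiff amendment would have required (example code, not from the article, the commenter or any product): a Python filter that forwards only threat-relevant SIEM fields and keeps the full event on-premises under an opaque handle for follow-up. Field names, categories, indicator types and the sample events are all assumptions.

```python
"""Tiered sharing filter: forward minimized SIEM events, keep raw data local.
Constructed example; field names, categories and sample events are assumed."""
import uuid

# Threat-relevant fields that may leave the organization; everything else
# (usernames, emails, internal hostnames, unexpected new fields) is dropped.
SHAREABLE_FIELDS = {"timestamp", "rule_id", "category", "indicator_type", "indicator"}
# Only these categories are worth forwarding; informational noise stays home.
SHARE_CATEGORIES = {"malware", "c2", "exploit", "intrusion"}
# An indicator can itself be personal (a user or email), so gate on type too.
SHARE_INDICATOR_TYPES = {"domain", "ip", "url", "hash"}

RETENTION_STORE = {}  # opaque handle -> full original event, kept on-premises


def minimize_event(event):
    """Return a minimized record to share, or None if the event stays local.

    The full event is retained under a random handle so the upstream engine,
    if it flags the indicator, can request deeper analysis through the
    organization rather than receiving raw network data up front.
    """
    if (event.get("category") not in SHARE_CATEGORIES
            or event.get("indicator_type") not in SHARE_INDICATOR_TYPES):
        return None
    handle = uuid.uuid4().hex
    RETENTION_STORE[handle] = dict(event)
    shared = {k: v for k, v in event.items() if k in SHAREABLE_FIELDS}
    shared["handle"] = handle
    return shared


def share_batch(events):
    """Minimize a batch and return only the records to forward upstream."""
    return [r for r in map(minimize_event, events) if r is not None]


def followup(handle):
    """Local-side lookup when the upstream engine asks about a handle."""
    return RETENTION_STORE.get(handle)


# Constructed sample SIEM events (all identities and hosts are made up).
SAMPLE_EVENTS = [
    {"timestamp": "2013-04-17T22:19:00Z", "rule_id": "R-1001", "category": "c2",
     "indicator_type": "domain", "indicator": "bad.example", "username": "jdoe",
     "email": "jdoe@example.com", "src_host": "ws-finance-07.corp.example"},
    {"timestamp": "2013-04-17T22:20:00Z", "rule_id": "R-2002", "category": "intrusion",
     "indicator_type": "user", "indicator": "jdoe", "username": "jdoe"},
]
```

Dropping rather than obfuscating unknown fields means a new PII column added to the SIEM schema cannot leak by default, which is the failure mode the commenter worries an "obfuscation box" would introduce.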

Sounds like déjà vu. This is an absolutely ridiculous attempt to address and control cyber security. It could not have come at a more convenient time, with Americans being preoccupied with other events that are being blasted over the news. I found very little covering CISPA. When I was reading about it, the mention of sharing was the term that was frequented in place of control. Ben Franklin said it best when he stated "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." I agree that cyber security needs to be addressed, but not at the cost of my freedom; find an alternative.

My congressman represents a district so blue it should ensure him lifetime employment, but I had sent him a rant promising that his supporting vote for this intrusion on our rights would not go unnoticed.